File name: pia-windows-x64-3.6.1-08339.exe

Full analysis: https://app.any.run/tasks/1bebaa94-43b2-404e-9c1d-eac151ff830f
Verdict: Malicious activity
Analysis date: December 19, 2024, 20:25:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: 57644ED54E9AD4D6686B0FAAB7BFA4DB
SHA1: B0195D1AE789ED8C2A26DDD78FE0E5BF8116B1F5
SHA256: B407C39D82398AFF52602AE98A2B7CD904023A5F6D1E88416DC30B2C31A3CF56
SSDEEP: 196608:j8TwQn3fOsOurt8cw1Uaa2MyRcjW3Bs79KuKzBJ4Z/M0:j8TwGOsXGdT3BsZxKzbI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • pia-windows-x64-3.6.1-08339.exe (PID: 6528)
      • pia-service.exe (PID: 6756)
      • pia-wgservice.exe (PID: 6824)
      • pia-client.exe (PID: 6956)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Executable content was dropped or overwritten

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Executes as Windows Service

      • pia-service.exe (PID: 6756)
    • The process drops C-runtime libraries

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Process drops legitimate windows executable

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Creates a software uninstall entry

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Reads security settings of Internet Explorer

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Detected use of alternative data streams (AltDS)

      • pia-client.exe (PID: 6956)
  • INFO

    • Creates files in the program directory

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
      • pia-service.exe (PID: 6756)
    • Checks supported languages

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
      • pia-service.exe (PID: 6756)
      • pia-wgservice.exe (PID: 6824)
      • pia-client.exe (PID: 6956)
    • Reads the computer name

      • pia-service.exe (PID: 6756)
      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
      • pia-wgservice.exe (PID: 6824)
      • pia-client.exe (PID: 6956)
    • The sample compiled with english language support

      • pia-windows-x64-3.6.1-08339.exe (PID: 6668)
    • Process checks computer location settings

      • pia-service.exe (PID: 6756)
    • Reads the time zone

      • pia-service.exe (PID: 6756)
    • Creates files or folders in the user directory

      • pia-client.exe (PID: 6956)
    • Reads the software policy settings

      • pia-service.exe (PID: 6756)
    • Reads the machine GUID from the registry

      • pia-service.exe (PID: 6756)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:02 09:42:04+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 346624
InitializedDataSize: 24613888
UninitializedDataSize: -
EntryPoint: 0x2e424
OSVersion: 10
ImageVersion: -
SubsystemVersion: 10
Subsystem: Windows GUI
Total processes: 120
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Nodes: start; pia-windows-x64-3.6.1-08339.exe; pia-service.exe; pia-wgservice.exe (no specs); conhost.exe (no specs); pia-client.exe (no specs); pia-windows-x64-3.6.1-08339.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 6528
CMD: "C:\Users\admin\Desktop\pia-windows-x64-3.6.1-08339.exe"
Path: C:\Users\admin\Desktop\pia-windows-x64-3.6.1-08339.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\desktop\pia-windows-x64-3.6.1-08339.exe
c:\windows\system32\ntdll.dll
PID: 6668
CMD: "C:\Users\admin\Desktop\pia-windows-x64-3.6.1-08339.exe"
Path: C:\Users\admin\Desktop\pia-windows-x64-3.6.1-08339.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\pia-windows-x64-3.6.1-08339.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 6756
CMD: "C:\Program Files\Private Internet Access\pia-service.exe"
Path: C:\Program Files\Private Internet Access\pia-service.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Modules (images):
c:\program files\private internet access\pia-service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
PID: 6824
CMD: "C:\Program Files\Private Internet Access\pia-wgservice.exe" /cleaninterface wgpia0
Path: C:\Program Files\Private Internet Access\pia-wgservice.exe
Parent process: pia-service.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 1
Modules (images):
c:\program files\private internet access\pia-wgservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
PID: 6832
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: pia-wgservice.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6956
CMD: "C:\Program Files\Private Internet Access\pia-client.exe" --clear-cache
Path: C:\Program Files\Private Internet Access\pia-client.exe
Parent process: pia-windows-x64-3.6.1-08339.exe
User: admin
Company: Private Internet Access Incorporated
Integrity Level: MEDIUM
Description: Private Internet Access
Version: 3,6,1,100
Modules (images):
c:\program files\private internet access\pia-client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 91 659
Read events: 91 649
Write events: 10
Delete events: 0

Modification events

All modification events below were made by (PID) Process: (6668) pia-windows-x64-3.6.1-08339.exe.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piavpn
  Operation: write | Name: URL Protocol | Value: (empty)

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33023371-7761-4F81-BBB1-0E0D0D175ACF}
  Operation: write | Name: DisplayName | Value: Private Internet Access
  Operation: write | Name: InstallLocation | Value: C:\Program Files\Private Internet Access
  Operation: write | Name: UninstallString | Value: C:\Program Files\Private Internet Access\uninstall.exe
  Operation: write | Name: Publisher | Value: Private Internet Access, Inc.
  Operation: write | Name: DisplayVersion | Value: 3.6.1+08339
  Operation: write | Name: DisplayIcon | Value: C:\Program Files\Private Internet Access\pia-client.exe
  Operation: write | Name: URLInfoAbout | Value: https://www.privateinternetaccess.com/
  Operation: write | Name: EstimatedSize | Value: 85210
  Operation: write | Name: NoModify | Value: 1
Executable files: 149
Suspicious files: 351
Text files: 404
Unknown types: 1

Dropped files

Columns: PID | Process | Filename | Type

6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\brand.txt | text
  MD5: 1A212F8DB4799461E7B4EA4C5316BD4E
  SHA256: 0CCEDD0B0F8D3B7812836DF5B13D7F24935863F9D1302513E72EDF3ACA2B2261
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\architecture.txt | text
  MD5: 0027F42E1E5DFCB4FD5F8F9C6DB89AF3
  SHA256: 7520B5A1B312EFDE4FD7E2793EF4BC0CF8F1C235F778D203AB7216A0E31B3880
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\LICENSE.txt | text
  MD5: 50B53397867963369D87695B4E70BE7F
  SHA256: 6EB99D0D071493B43AF549145F3CC311EB8EF593B4FB2D8C9E8A8743255FDA6B
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\modern_servers.json | text
  MD5: 3E9EA64409B60C7D0A0D18EC6B9CA8E1
  SHA256: EFE8645165FD6BE6EF179553458A8F01B8D6D2FA4618488EE66A6D6D41E8622C
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\modern_region_meta.json | text
  MD5: BEC6CEF4EDE461FE7757D058960F1A33
  SHA256: 077F3FA286E27561935D0284976E0670FB76F579A140EA9156F1384D298FF584
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\modern_shadowsocks.json | text
  MD5: 58DE1F95261F81AA10D95924310BE96C
  SHA256: 6E7ABEB4D01261A0E6A89FD02C5341502E91251B7551C5E69162DE36B90417FA
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\openvpn_updown.bat | text
  MD5: 73A2EE74F3A9556C6649F20C439F6459
  SHA256: FB0635A6DA420CA611925EAD022C76815B0A174B6FB37D9EFFF211DAC3E3AA80
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\QtQml\Models\plugins.qmltypes | text
  MD5: 12C72D40183F81FEBBB334A41E6BB283
  SHA256: 0ECAFE726D4DD08A436EA4EA85D205E53D959C01DC8DBAC7D515688C6B6D3ED5
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\Qt\labs\platform\qmldir | text
  MD5: D11ABFC9128AEAC41EC3BF28853847EB
  SHA256: F8183A678B3EE9179C6AC6B05CA23CF50EA03FF2CAC71159A813A984E96BD42D
6668 | pia-windows-x64-3.6.1-08339.exe | C:\Program Files\Private Internet Access\QtQml\Models\qmldir | text
  MD5: 02B22FC3631B6E623F6BAA5B8A315A11
  SHA256: 64A1E77E7EAB4966385BBB057122784A82352AD229EA06AC4EDEB6787E58DC3B
HTTP(S) requests: 33
TCP/UDP connections: 53
DNS requests: 10
Threats: 4

HTTP requests

Columns: PID | Process | Method | IP | URL | CN | Reputation (the HTTP Code, Type and Size columns are empty in this summary; other empty cells are shown as "-")

- | - | GET | 172.64.147.163:443 | https://api.privateinternetaccess.com/api/client/status | US | unknown
- | - | GET | 172.64.147.163:443 | https://www.privateinternetaccess.com/clients/desktop/release | US | unknown
- | - | GET | 104.18.40.93:443 | https://api.privateinternetaccess.com/api/client/status | US | unknown
- | - | GET | 172.64.147.163:443 | https://api.privateinternetaccess.com/api/client/status | US | unknown
- | - | GET | 172.64.147.163:443 | https://api.privateinternetaccess.com/api/client/status | US | unknown
- | - | GET | 104.18.40.93:443 | https://api.privateinternetaccess.com/api/client/status | US | unknown
- | - | GET | 104.18.40.93:443 | https://api.privateinternetaccess.com/api/client/status | US | unknown
6756 | pia-service.exe | GET | 172.64.147.163:443 | https://api.privateinternetaccess.com/api/client/status | US | unknown
- | - | GET | 104.18.159.201:443 | https://serverlist.piaservers.net/shadow_socks | US | unknown
- | - | GET | 104.18.40.93:443 | https://api.privateinternetaccess.com/api/client/status | US | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (empty cells are shown as "-")

- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3576 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6756 | pia-service.exe | 45.9.250.46:443 | - | M247 Ltd | AE | unknown
6756 | pia-service.exe | 146.70.102.2:443 | - | M247 Ltd | AE | unknown
6756 | pia-service.exe | 104.18.40.93:443 | www.privateinternetaccess.com | CLOUDFLARENET | - | unknown
6756 | pia-service.exe | 172.64.147.163:443 | www.privateinternetaccess.com | CLOUDFLARENET | US | unknown
6756 | pia-service.exe | 31.171.154.114:443 | - | Keminet SHPK | AL | unknown

DNS requests

Columns: Domain | IP(s) | Reputation

settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 216.58.212.174 | whitelisted
www.privateinternetaccess.com | 104.18.40.93, 172.64.147.163 | unknown
api.privateinternetaccess.com | 172.64.147.163, 104.18.40.93 | unknown
www.bing.com | 104.126.37.130, 104.126.37.139, 104.126.37.154, 104.126.37.128, 104.126.37.129, 104.126.37.145, 104.126.37.176, 104.126.37.123, 104.126.37.163 | whitelisted
serverlist.piaservers.net | 104.18.159.201, 104.19.240.167 | whitelisted
www.piaproxy.net | 172.64.150.50, 104.18.37.206 | unknown
self.events.data.microsoft.com | 52.168.117.171 | whitelisted

Threats

Columns: PID | Process | Class | Message

6756 | pia-service.exe | Unknown Traffic | ET JA3 Hash - [Abuse.ch] Possible Trickbot
6756 | pia-service.exe | Unknown Traffic | ET JA3 Hash - [Abuse.ch] Possible Trickbot
6756 | pia-service.exe | Unknown Traffic | ET JA3 Hash - [Abuse.ch] Possible Trickbot
6756 | pia-service.exe | Unknown Traffic | ET JA3 Hash - [Abuse.ch] Possible Trickbot
No debug info